12/20/2016
10:30 AM
Joshua Goldfarb
Commentary

20 Questions Security Pros Should Ask Themselves Before Moving To The Cloud

A template for working collaboratively with the business in today's rapidly changing technology environment.

Everywhere I go lately, the cloud seems to be on the agenda as a topic of conversation. Not surprisingly, along with all the focus, attention, and money the cloud is receiving, comes the hype and noise we’ve come to expect in just about every security market these days. Given this, along with how new the cloud is to most of us in the security world, how can security professionals make sense of the situation? I would argue that that depends largely on what type of situation we’re referring to, exactly. And therein lies the twist.

Rather than approach this piece as “20 questions security professionals should ask cloud providers,” I’d like to take a slightly different angle. It’s a perspective I think will be more useful to security professionals grappling with issues and challenges introduced by the cloud on a daily basis. For a variety of reasons, organizations are moving both infrastructure and applications to the cloud at a rapid rate - far more rapidly than anyone would have forecast even two or three years ago.

As security professionals, we are way beyond the point of simply being able to tell the business they cannot move certain things to the cloud. Instead, we need to work collaboratively with the business to mitigate the risks introduced by the changing business environment. Given that we find ourselves in this situation, we need a different approach. What are 20 questions security organizations should be asking themselves as the business moves to the cloud?

Image: By DuMont Television/Rosen Studios, New York (photographer). Uploaded by We hope at en.wikipedia (eBay item, photo front, photo back) [Public domain], via Wikimedia Commons.

  1. Do we know how much it costs to build, maintain, and operate data centers? That is the first step to understanding the pressure the business is under.
  2. Have we opened up the lines of communication and listened acutely to the business?  Before we can expect the business to listen to us, we need to build bridges, gain trust, and listen to the business.
  3. Do we truly understand the needs of the business? It’s hard to convince the business that we have their best interests in mind when we don’t fully understand what that means.
  4. Do we knee jerk? We must be honest with ourselves to determine if we are truly behaving proactively, or if we are merely behaving reactively.
  5. Do we always say no? We must be careful not to be the program of no to a business that will increasingly roll its eyes and work around us.
  6. Are we focused on mitigating risk rather than simply playing whack-a-mole? We need to think holistically and strategically about mitigating risk. We don’t want to win the battle but lose the war.
  7. What infrastructure has been or will be moved to the cloud? It helps to know what infrastructure we are looking to protect when we set out to protect it.
  8. What applications have been or will be moved to the cloud? It also helps to know what applications we are looking to protect when we set out to protect them.
  9. Are we able to enumerate the top five or 10 risks introduced by the move to the cloud that concern us? That’s generally a good place to begin when looking to mitigate risk.
  10. Are we certain that the move to the cloud always introduces additional net risk? While it is true that certain risks may be introduced, it is also quite likely that some legacy risks may actually go away.
  11. Are we positive that we can secure something better than someone whose core business depends on it? Granted, not all cloud providers are equal, particularly when it comes to security. But if the provider takes security seriously, they can bring resources and economies of scale to securing our applications and data that we will never be able to bring.
  12. Is all really lost when applications move to the cloud? It is entirely possible that a new infrastructure will give us visibility into applications like we’ve never had before. But we have to involve ourselves as a friend of the business from the beginning.
  13. Are we focused on data? In the cloud, it’s more about protecting data, and less about protecting infrastructure and assets.
  14. Have we considered the economics of the cloud for our own internal security purposes? Not all security products and services need to be racked and stacked in-house anymore. In fact, some of the most interesting ones are cloud-based.
  15. Have we looked into simplifying our own security stack in the cloud? As technologies mature, it may make sense to take a strategic look at consolidating and simplifying security infrastructure as well.
  16. Have we looked into the efficiency gains and operational scale the cloud can bring us?  Trying to run a query across several months’ worth of data on a 2U vendor appliance can be painful. But with the scale that the cloud provides, that same query can return lightning fast.
  17. Do we have the necessary visibility into infrastructure and applications in the cloud? If not, how do we plan to gain that visibility?
  18. Have we considered how we will retain response capability with the move to the cloud?
  19. Have we thought about looking to the endpoint as a potential source of visibility and control as the traditional enterprise infrastructure slowly disintegrates before our very eyes?
  20. Are we focused on the big picture? The cloud is relatively new and can seem a bit scary, but have we thought about the fact that if we do our homework properly, we may even end up with a better security posture than we had before the move to the cloud?

Nearly all security professionals today are grappling with the business moving to the cloud in one form or another. While a few years ago, the mere thought of this happening would have seemed nearly impossible, it is now the reality we live in. As security professionals, we owe it to ourselves to ensure we ask the right questions and make the right preparations as the landscape changes before us. Otherwise, we simply have our heads in the clouds.

Josh is an experienced information security leader with broad experience building and running Security Operations Centers (SOCs). Josh is currently co-founder and chief product officer at IDRRA. Prior to joining IDRRA, Josh served as vice president, chief technology officer, ...
Comments
Christian Bryant
12/20/2016 | 1:04:19 PM
Audit Yourself Even Before Implementation
This is a great list of questions.  When it comes to big tech moves from one platform to another, I believe acting as though you have the tech already and are about to have a Security audit helps answer lots of questions.  Using documents like Common Criteria, for instance, to walk through targets of evaluation either by using the technical documentation of the product(s), whitepapers on other implementations, documented exploits, and so on.  I've been reading Raymond Pompon's IT Security Risk Management which develops a thorough audit plan that could be used for such a purpose.  Security pros should approach every acquisition the same way they'd do working with a client.  Set yourself up for success and know that once you've done your soft audit, then implemented, you could have an auditor walk in and you'd pass with flying colors.